Bug 1041210

Summary: [RFE][nova]: Generate rootwrap filters from code annotations
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/nova/+spec/rootwrap-autogen-filters
Whiteboard: upstream_milestone_none upstream_status_unknown upstream_definition_obsolete
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-19 17:45:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description RHOS Integration 2013-12-12 13:58:28 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/rootwrap-autogen-filters.

Description:

Currently rootwrap filters are defined separately from the code that requires them. The link is somehow documented in comments in the filter files but this is clearly suboptimal, and can for example lead to keeping extra filters for commands that are no longer needed.

Almost quoting Dan Berrange:
It would be possible to auto-generate this entire config file, by adding some simple source code annotations or magic comments, at the place where the commands are actually used:

    @nova.rootwrap(['compute'], 'kpartx', 'CommandFilter, /sbin/kpartx, root')
    def map_dev(self):
        """Map partitions of the device to the file system namespace."""
          ....snip....
            _out, err = utils.trycmd('kpartx', '-a', self.device,
                                     run_as_root=True, discard_warnings=True)

and then have a script that reads the source annotations to generate this compute.filters.

Specification URL (additional information):

None
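
A sketch of the generator the blueprint describes, added here as an example and not code from Nova or the blueprint. The names `rootwrap`, `render_filters` and `stale_filters` are hypothetical, the `Mount` class is a stub, and the `tunctl` line in the deployed sample is constructed to show how a leftover filter would be flagged.

```python
import collections

# Hypothetical registry: group -> {filter name: (definition, annotated function)}
_REGISTRY = collections.defaultdict(dict)

def rootwrap(groups, name, definition):
    """Hypothetical stand-in for the proposed @nova.rootwrap annotation."""
    def decorator(func):
        for group in groups:
            known = _REGISTRY[group].get(name)
            if known and known[0] != definition:
                # Two call sites must not silently widen or change one filter.
                raise ValueError(f"conflicting filter {name!r} in {group!r}")
            _REGISTRY[group][name] = (definition, func.__qualname__)
        return func
    return decorator

def render_filters(group):
    """Render <group>.filters in the rootwrap INI layout."""
    lines = ["# Generated from code annotations; do not edit.", "[Filters]"]
    for name, (definition, source) in sorted(_REGISTRY[group].items()):
        lines += [f"# used by {source}", f"{name}: {definition}"]
    return "\n".join(lines) + "\n"

def stale_filters(group, deployed_text):
    """Filter names in a deployed file that no annotation asks for any more."""
    deployed = set()
    for line in deployed_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")) and ":" in line:
            deployed.add(line.split(":", 1)[0].strip())
    return sorted(deployed - set(_REGISTRY[group]))

class Mount:  # stub standing in for the annotated Nova class
    @rootwrap(['compute'], 'kpartx', 'CommandFilter, /sbin/kpartx, root')
    def map_dev(self):
        """Map partitions of the device to the file system namespace."""

# Constructed sample of a hand-maintained filter file with one leftover entry.
DEPLOYED = """[Filters]
kpartx: CommandFilter, /sbin/kpartx, root
tunctl: CommandFilter, tunctl, root
"""

if __name__ == "__main__":
    print(render_filters('compute'))
    print("stale:", stale_filters('compute', DEPLOYED))
```
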